The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

From VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Associated with: CCI-002238

SV-99313r1_rule The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

Vulnerability discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Check content

Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti me=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding.

Fix text

Edit "/etc/pam.d/common-auth" file and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" file and add the following line: account required pam_tally2.so

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.